At the end of last week Facebook revealed that an API bug had given developers of third-party apps access to the photos of millions of users.

A flaw in Facebook’s code had allowed apps already given permission to access users’ timeline photos to also hoover up images in Facebook Stories, Marketplace photos, and even those photos that had been uploaded to Facebook but never shared.

When someone gives permission for an app to access their photos on Facebook, we usually only grant the app access to photos people share on their timeline. In this case, the bug potentially gave developers access to other photos, such as those shared on Marketplace or Facebook Stories. The bug also impacted photos that people uploaded to Facebook but chose not to post. For example, if someone uploads a photo to Facebook but doesn’t finish posting it - maybe because they’ve lost reception or walked into a meeting - we store a copy of that photo for three days so the person has it when they come back to the app to complete their post.

Currently, we believe this may have affected up to 6.8 million users and up to 1,500 apps built by 876 developers. The only apps affected by this bug were ones that Facebook approved to access the photos API and that individuals had authorized to access their photos.

Facebook says “We’re sorry this happened”, and that it is providing app developers with tools to see if they were impacted, in order to help them delete any photographs to which they should not have had access.

According to the social media giant the flaw existed for 12 days, between September 13 and 25, 2018.

Which leads to an obvious next question - how come Facebook only went public about the problem on December 14th? It found out about the problem on September 25th. That means it took almost three months for Facebook to come clean that it had put its users’ privacy at risk.

You would think that after Facebook’s troubled year it would show a little more urgency in admitting it had a problem, and in reassuring users that it was dealing with it.

Or maybe that’s the problem. Maybe Facebook is having such a terrible year that it’s choosing to make its more embarrassing admissions at times that are most likely to reduce the attention of the media.

It’s not the first time I’ve noticed Facebook admitting a privacy gaffe on a Friday…

Oh, and if you want more fuel for this theory, consider this. Facebook discovered another serious security hole on September 25th (announced on September 28th) that left tens of millions of accounts exposed to attackers.

Did Facebook deliberately keep schtum about the photo privacy bug until now so as not to make September’s announcement even worse?

I quit Facebook earlier this year. If you’re finding it hard to imagine doing the same, why not listen to this “Smashing Security” podcast we put together describing the process of quitting Facebook:

Smashing Security #75: ‘Quitting Facebook’

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.
